chore(deps): update vite+ to v0.2.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite-plus (source)	0.1.24 → 0.2.0

---

Release Notes

voidzero-dev/vite-plus (vite-plus)

v0.2.0: vite-plus v0.2.0

Compare Source

Vite+ now consumes upstream Vitest directly (no wrapper), raises the minimum supported Node.js version to 22.18.0, and ships corepack and devEngines support.

Highlights

• vp test now runs upstream Vitest directly (breaking): Vite+ used to ship @voidzero-dev/vite-plus-test, a rebundled copy of Vitest that lagged upstream releases. That package is removed; vp test now runs the real upstream vitest, which is installed automatically as a dependency of vite-plus (you no longer add vitest or @vitest/* yourself, and vite still resolves to @voidzero-dev/vite-plus-core via package-manager overrides). Your import ... from 'vite-plus/test' code keeps working unchanged and vp migrate updates existing projects (#​1588), by @​Brooooooklyn
• Minimum supported Node.js version raised to ^22.18.0 || >=24.11.0 (breaking): Node 20 reached end-of-life and the bundled tsdown already required ^22.18.0, so the published engines range now matches what vp pack can actually deliver; vp exec / vp run / vp dlx reject projects resolving an older Node with the existing incompatibility error (#​1813), by @​fengmk2
• Corepack now works under Vite+: corepack now set up by default, so corepack enable and the pnpm/yarn launchers just work, even on Node 25+ which no longer ships it. (#​1808), by @​fengmk2
• devEngines support for runtime and package-manager selection: Vite+ reads devEngines.runtime (ranked above engines.node) and devEngines.packageManager; auto-pin and vp migrate write devEngines.packageManager, vp env pin / unpin target devEngines.runtime, and vp env doctor reports conflicts instead of silently resolving them (#​1760), by @​fengmk2

Features

• vp pm approve-builds: forward to npm's new approve-scripts / deny-scripts (npm >= 11.16.0) instead of the previous no-op, matching pnpm approve-builds / bun pm trust; mixed approve+deny is rejected with actionable guidance and npm's advisory-only caveat is surfaced (#​1733), by @​fengmk2
• vp create: support local monorepo templates declared in create.templates in vite.config.ts; vp create vite:generator scaffolds a Bingo generator and auto-registers it in the picker, replacing the old package.json-keyword inference (#​1777), by @​fengmk2
• vp create: detect direct dependencies whose build scripts the package manager gated (e.g. native builds like better-sqlite3) and act on them; prompt to approve each (default off) interactively, point at vp pm approve-builds non-interactively, or build them with --approve-builds (#​1828), by @​fengmk2
• vp config: add --no-hooks and --no-agent opt-outs to skip git-hook installation and coding-agent instruction updates (#​1842), by @​leno23
• vp list -g: sort the global package list output so entries appear in a stable order (#​1748), by @​liangmiQwQ
• Upgrade upstream dependencies: rolldown 1.0.3 -> 1.1.1, tsdown 0.22.1 -> 0.22.3, oxlint 1.67.0 -> 1.70.0, oxfmt 0.52.0 -> 0.55.0, vitest 4.1.8 -> 4.1.9, and the oxc toolchain 0.133.0 -> 0.136.0 (#​1749, #​1767, #​1812, #​1834, #​1855), by @​voidzero-guard[bot]

Fixes & Enhancements

• Security: resolve open Rust Dependabot advisories by bumping transitive openssl 0.10.76 -> 0.10.80 (openssl-sys 0.9.112 -> 0.9.116), fixing five high-severity rust-openssl issues (buffer overflows in key derivation, AES key wrap, and digest finalization; an unchecked PSK/cookie trampoline length leaking adjacent memory; and OCSP-responder undefined behavior: GHSA-pqf5-4pqq-29f5, GHSA-8c75-8mhr-p7r9, GHSA-ghm9-cr32-g9qj, GHSA-hppc-g8h3-xhp3, GHSA-xp3w-r5p5-63rr), and drop the unmaintained, unsound libyml (GHSA-gfxp-f68g-8x78, high) by removing dead serde_yml code (#​1742), by @​fengmk2
• Security (docs site): update mermaid 11.13.0 -> 11.15.0 to fix improper classDef sanitization in state diagrams that allowed HTML injection (CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr, medium severity; <script> tags are stripped so it does not reach XSS) (#​1745), by @​renovate[bot]
• vp check --fix / vp staged: create/migrate now wrap inline Vite plugins: [...] arrays with lazyPlugins(...) so plugin factories aren't eagerly executed (and don't hang on open handles) during lint/format/check config loading (#​1752), by @​jong-kyung
• vp migrate: complete pending migration work for projects that already have vite-plus installed (scripts, imports, tsconfig types, ESLint/Prettier, legacy hooks, package-manager settings) instead of treating vite-plus as migration-complete; fully migrated projects stay idempotent (#​1821), by @​jong-kyung
• vp create / vp migrate: detect shorthand fmt, / lint, config keys so a duplicate inline block is no longer injected (#​1843), by @​fengmk2
• IDE oxlint/oxfmt wrappers: set VP_COMMAND so lazyPlugins() skips framework plugins during LSP config reads, preventing a stray .svelte-kit (and similar) directory at the monorepo root (#​1764), by @​jong-kyung
• vp lint / vp run -r lint on Windows: keep the absolute tsgolint path for workspace lint runs instead of downgrading it to a wrong cwd-relative path (#​1758), by @​semimikoh
• oxlint wrapper: set the tsgolint path so type-aware lint resolves it (#​1811), by @​jong-kyung
• vp install -g: use a unique backup directory and treat stale-backup cleanup as best-effort so a locked Windows binary no longer fails an otherwise successful reinstall (#​1753), by @​fengmk2
• vp install -g: remove stale managed binary shims when a reinstalled package drops a bin from its package.json#bin (#​1765), by @​liangmiQwQ
• vp create --git: surface git's actual stdout/stderr when the initial commit fails instead of always blaming user.name / user.email (#​1819), by @​fengmk2
• vp create vite:generator: reject --git / --no-git, since adding a generator to an existing monorepo does not initialize git (#​1788), by @​jong-kyung
• Global CLI: harden find_system_tool against a self-exec loop (skip the running executable's own bin directory) and fix two vite_global_cli tests that could hang (#​1820), by @​fengmk2
• CLI help: unify alias display (#​1832), show supported run options (#​1797), show --fail-if-no-match in exec help (#​1798), add the implode documentation link (#​1796), and handle nested-command typo help (#​1803), by @​jong-kyung

Docs

• Document vp create opt-out options (#​1790), by @​jong-kyung
• Document vp upgrade options (#​1847), by @​jong-kyung
• Align the config overview with the sidebar (#​1846), by @​jong-kyung
• Sync the documented command lists with the help output (#​1850), by @​jong-kyung
• Clarify lazy plugin side effects (#​1841), by @​leno23
• Add JongKyung's X profile (#​1844) and update Christoph's X profile (#​1845) on the team page, by @​jong-kyung

Refactor

• Remove the CLI tips system; the shortcuts it printed on vp install are already covered by the help system and added unnecessary complexity (#​1799), by @​cpojer

Chore

• Re-enable Renovate dependency updates with a targeted ignore-list (#​1744), by @​fengmk2
• Keep generated NAPI bindings during upgrade-deps (#​1759), by @​fengmk2
• Remove the vite_glob dependency from vite-plus (#​1763), by @​wan9chi
• Keep sync-remote from churning pnpm-workspace.yaml (dedupe minimumReleaseAgeExclude, preserve comments) (#​1787), by @​fengmk2
• Make unix just test runnable (#​1755), by @​situ2001
• CI: reuse just lint and just test as the single source of truth (#​1809), pin cargo-zigbuild to a git rev to fix the aarch64-musl link failure (#​1815), and keep upgrade-deps green when rolldown bumps oxc (#​1833), by @​fengmk2
• Update Rust to nightly-2026-06-10 (#​1725), typos to v1.47.1 / v1.47.2 (#​1772, #​1775), GitHub Actions (#​1778, #​1829), and npm packages (#​1779), by @​renovate[bot]
• Bump oxc-project/setup-node to v1.3.1 (#​1792), by @​Boshen
• Refresh trusted stack stats on the docs homepage (#​1786, #​1837), by @​voidzero-guard[bot]

Bundled Versions

Tool	Version	Source
vite	8.0.16	f94df87
rolldown	1.1.1	d7f919c
tsdown	0.22.3	npm
vitest	4.1.9	npm
oxlint	1.70.0	npm
oxlint-tsgolint	0.23.0	npm
oxfmt	0.55.0	npm

Upgrading from 0.1.24 to 0.2.0

This release has two breaking changes. For most projects the upgrade is vp upgrade, bump the project's vite-plus, then vp migrate.

1. Update the CLI

vp upgrade

2. Node.js 20 is no longer supported

The minimum supported Node.js version is now ^22.18.0 || >=24.11.0 (Node 20 reached end-of-life). If you are still on Node 20:

• Check your version: node --version (or vp env doctor)
• Move to a supported release: vp env pin 22.18.0 (or a newer LTS), or update your .node-version / devEngines.runtime

vp exec / vp run / vp dlx now refuse to run against a project that resolves Node < 22.18.0.

3. Vitest is now upstream (the wrapper is gone)

@voidzero-dev/vite-plus-test has been removed; Vite+ consumes upstream vitest directly. Bump vite-plus first, then migrate:

vp update vite-plus --latest    # project's vite-plus -> 0.2.0 (ignores the old range, updates the lockfile); monorepo: add -r
vp migrate                      # local vite-plus is now 0.2.0, so the new migration runs

vp update --latest re-resolves vite-plus to the newest release regardless of the old semver range, so the lockfile cannot pin you back to 0.1.24. The project's local vite-plus is then 0.2.0, and since the global vp delegates migrate to the project's local install, vp migrate runs the new migration.

• Your import { vi, ... } from 'vite-plus/test' code is unchanged. vp migrate rewrites any leftover vitest / @vitest/* imports and normalizes stale vitest: npm:@​voidzero-dev/vite-plus-test@* aliases.
• You no longer add vitest or @vitest/* yourself; they arrive transitively through vite-plus.

New Contributors

Welcome to our new contributor @​situ2001! 🎉

Full Changelog: voidzero-dev/vite-plus@v0.1.24...v0.2.0

Published Packages

• @voidzero-dev/vite-plus-core@0.2.0
• vite-plus@0.2.0

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

View the full commit: 6f97f09

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vite-plus@​0.2.0

View full report